IT Documentation – More than Just a Chore

Last updated: December 1, 2021

A key question concerning IT documentation is: What are the legal requirements, and what precisely must be documented? First of all, this depends on your company's industry sector. Banks, financial service providers, and insurance companies, for example, are subject to the Minimum Requirements for Risk Management (MaRisk) in Germany. Companies operating in the medical field face a number of industry-specific regulations. Moreover, there are general requirements, such as the Fiscal Code of Germany or the Generally Accepted Principles of Computerized Accounting Systems (GoBS), from which IT documentation obligations can also be derived. Reporting companies are further required, based on the general accounting requirements, to establish inventory documentation (e.g. a fixed assets register must be maintained for both hardware and software).

To put it in a nutshell: The various laws and regulations create an obligation to run IT operations properly, with a focus on IT security, availability, and data protection. In addition, numerous legal requirements and other obligations make active contingency planning a necessity. For example, the executive boards of major corporations in Germany are bound by the Gesetz zur Kontrolle und Transparenz im Unternehmensbereich (Control and Transparency in Business Act) to perform adequate risk management. This, in turn, requires that the company has taken sufficient precautions against crises and emergencies. Finally, the management of every company is bound, among others by the Limited Liability Companies Act (GmbH-Gesetz), to avert damage to the company. This also includes adequate contingency management.

IT documentation – a sine qua non for optimizing processes

Focusing exclusively on the legal requirements, however, entails a certain risk: The IT documentation is often limited to the minimum required for the audit, filed, and then forgotten (until the next audit). This happens quite often, even though up-to-date, process-oriented IT documentation represents added value and effectively supports the operation of your IT. The fact that it allows you to train new employees better is only one aspect of this.

In an era characterized by staff cuts, improved efficiency, and cost savings, IT departments, too, are more and more compelled to “justify their existence.” This includes providing evidence of an effective and lean organization. The focus here is on service orientation (that is, responding to the customer’s needs) as well as process orientation. However, processes can only be optimized if they have been documented. Otherwise, there is a risk of everybody modifying their tasks as they like, acting one way today and another way tomorrow. At the very least, this severely hampers measuring the benefits of a process, or even prevents it.

IT documentation is also important for SMBs

As you can see, service- and process-oriented IT operation is based on targeted IT documentation. And this is not only true for major companies with a large IT department. Especially if the administrator acts as a “lone wolf” and/or external service providers are responsible for operating the IT, companies are badly mistaken if they think they can do without IT documentation. In this case, the non-availability of the sole administrator or of the service provider can put the existence of the entire company at risk. It is thus worthwhile to go beyond the question “What are the legal documentation requirements for my company?” and consider IT documentation as an investment in your own business.
